Accessing the Apache Airflow UI - Amazon Managed Workflows for Apache Airflow

Accessing the Apache Airflow UI

After you create an environment, a link to the Apache Airflow UI is added to the Environments table in the Amazon MWAA console. The permissions to access the Apache Airflow UI in your environment are managed by IAM. To use the link to access the Apache Airflow, you must have the necessary permissions. To grant the permissions to a user or role, you must attach a policy similar to the Apache Airflow UI access.

In addition to attaching the necessary permission policy that grants access to the Apache Airflow UI, you must also use tokens in the request to access the UI.

Web login token

Use the CreateWebLoginToken API action to create a short-lived token that allows a user to log into Apache Airflow web UI. The generated token are valid for only 60 seconds.

The following is an example of a web server access URL that includes a CreateWebLoginToken token.

https://<webServerHostName>/aws_mwaa/aws-console-sso?login=true#<webToken>

Request

{ "name": "<Name of the environment>" }

Response

{ "webToken": "<Short-lived token generated for enabling access to the Apache Airflow Webserver UI>", "webServerHostname": "<Hostname for the WebServer of the environment>" }

CLI token

Use the CreateCliToken API action to create a short-lived token that allows a user to invoke the Airflow CLI via an endpoint on the Apache Airflow Webserver. The generated token is valid for only 60 seconds after creation.

The following example POST request demonstrates how to access the Apache Airflow Webserver using curl:

export WEB_SERVER_HOSTNAME="<webServerHostname>" export CLI_TOKEN="<cliToken>" curl --request POST "https://$WEB_SERVER_HOSTNAME/aws_mwaa/cli" \ --header "Authorization: Bearer $CLI_TOKEN" \ --header "Content-Type: text/plain" \ --data-raw "show_dag my_dag"

The response of a successful POST call contains the following JSON object:

Response

{ "stderr":"<STDERR of the CLI execution (if any), base64 encoded>", "stdout":"<STDOUT of the CLI execution, base64 encoded>" }

The following example demonstrates an additional method to create a CLI token:

# brew install jq aws mwaa create-cli-token --name MWAAEnvironmentName | export CLI_TOKEN=$(jq -r .CliToken) && curl --request POST "https://$WEB_SERVER_HOSTNAME/aws_mwaa/cli" \ --header "Authorization: Bearer $CLI_TOKEN" \ --header "Content-Type: text/plain" \ --data-raw "trigger_dag DAGName"

Supported Apache Airflow CLI commands

The following Apache Airflow CLI commands are supported when using Apache Airflow in an Amazon MWAA environment:

  • dag_state

  • delete_dag

  • list_dag_runs

  • list_dags

  • list_tasks

  • next_execution

  • pause

  • pool

  • render

  • run

  • show_dag

  • task_failed_deps

  • task_state

  • test

  • trigger_dag

  • unpause

  • variables

  • version

Unsupported Apache Airflow CLI commands

The following Apache Airflow CLI commands are not supported when running Apache Airflow in an Amazon MWAA environment.

  • checkdb

  • connections

  • create_user

  • delete_user

  • flower

  • initdb

  • kerberos

  • list_users

  • resetdb

  • rotate_fernet_key

  • scheduler

  • serve_logs

  • shell

  • sync_perm

  • upgradedb

  • webserver

  • worker